From f35e237f3fe36ea20ad647c3a8d3191b2647f2ad Mon Sep 17 00:00:00 2001 From: Mert Kocoglu Date: Thu, 7 May 2026 22:32:09 +0800 Subject: [PATCH] Pin next + eslint-config-next to 16.1.7 (CVE mitigation) Per #103, removes the ^ caret from "next" and "eslint-config-next" in package.json so the resolver cannot fall back to a vulnerable 16.x patch version. 16.1.7 is the latest patched release. NOTE on package-lock.json: regenerating requires `npm install` against @tari-project/wxtm-bridge-contracts which is a private registry package. Without npm-token access, this commit only updates package.json. The maintainer (or CI with npm-token) should run `npm install` to refresh the lockfile post-merge. Closes #103 --- package.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package.json b/package.json index e2c7f6e..512ebdc 100644 --- a/package.json +++ b/package.json @@ -22,7 +22,7 @@ "i18next": "^24.2.3", "i18next-http-backend": "^3.0.2", "motion": "^12.26.2", - "next": "^16.1.1", + "next": "16.1.7", "react": "^19.2.3", "react-dom": "^19.2.3", "react-hook-form": "^7.71.1", @@ -40,7 +40,7 @@ "@types/react-dom": "^19.2.3", "@walletconnect/ethereum-provider": "^2.23.2", "eslint": "^9.39.2", - "eslint-config-next": "^16.1.1", + "eslint-config-next": "16.1.7", "eslint-plugin-i18next": "^6.1.3", "tailwindcss": "^4", "typescript": "^5.9.3"